dcrat | 18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Size

1.8MB
MD5

e00bc016a35cf87fb0db9dc0d6c3b8b8
SHA1

0281222335121e2e85a88a754c8451679084f8c0
SHA256

18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919
SHA512

a0a3281ce3dcacdd2a5c2848e514a1c54dca44eab3b06be68c1fd175a082742a06580af1158f79102c8229249911442aea7afc36ed6ca4e944d4594db2ae41f7
SSDEEP

24576:FcVMaOQA6hGM5SXggIREn1a0BnuvmgwVhlMv5mXwVzO5PEBYrbZH02KhAbB5YakG:F8zAqHRE1nnu+NYoAV6mobRZKyrY

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Logs\\Telephony\\csrss.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Logs\\Telephony\\csrss.exe\", \"C:\\Windows\\Offline Web Pages\\System.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Logs\\Telephony\\csrss.exe\", \"C:\\Windows\\Offline Web Pages\\System.exe\", \"C:\\Users\\Default\\Application Data\\StartMenuExperienceHost.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Logs\\Telephony\\csrss.exe\", \"C:\\Windows\\Offline Web Pages\\System.exe\", \"C:\\Users\\Default\\Application Data\\StartMenuExperienceHost.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Logs\\Telephony\\csrss.exe\", \"C:\\Windows\\Offline Web Pages\\System.exe\", \"C:\\Users\\Default\\Application Data\\StartMenuExperienceHost.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Windows\\assembly\\tmp\\RuntimeBroker.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Logs\\Telephony\\csrss.exe\", \"C:\\Windows\\Offline Web Pages\\System.exe\", \"C:\\Users\\Default\\Application Data\\StartMenuExperienceHost.exe\", \"C:\\Windows\\debug\\RuntimeBroker.exe\", \"C:\\Windows\\assembly\\tmp\\RuntimeBroker.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	3952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	3952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	3952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	3952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	3952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	3952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	3952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	3952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4572	3952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	3952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	3952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	3952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	3952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	3952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4704	3952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3656	3952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	3952	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	3952	schtasks.exe	82

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1896	powershell.exe
1132	powershell.exe
2112	powershell.exe
4580	powershell.exe
4996	powershell.exe
2444	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Default\\Application Data\\StartMenuExperienceHost.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\debug\\RuntimeBroker.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\assembly\\tmp\\RuntimeBroker.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\assembly\\tmp\\RuntimeBroker.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\debug\\RuntimeBroker.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Logs\\Telephony\\csrss.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Logs\\Telephony\\csrss.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Offline Web Pages\\System.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Offline Web Pages\\System.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Users\\Default\\Application Data\\StartMenuExperienceHost.exe\""	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCDBDBBA27BCDC495ABE9C98DF882C5D68.TMP	csc.exe
File created	\??\c:\Windows\System32\ljh0xx.exe	csc.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\assembly\tmp\RuntimeBroker.exe	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
File created	C:\Windows\Offline Web Pages\System.exe	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
File created	C:\Windows\Offline Web Pages\27d1bcfc3c54e0	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
File opened for modification	C:\Windows\assembly\tmp\RuntimeBroker.exe	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
File created	C:\Windows\assembly\tmp\9e8d7a4ca61bd9	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
File created	C:\Windows\debug\RuntimeBroker.exe	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
File created	C:\Windows\debug\9e8d7a4ca61bd9	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
File created	C:\Windows\Logs\Telephony\csrss.exe	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
File created	C:\Windows\Logs\Telephony\886983d96e3d3e	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2284	schtasks.exe
1428	schtasks.exe
2292	schtasks.exe
3992	schtasks.exe
2600	schtasks.exe
3656	schtasks.exe
2660	schtasks.exe
4088	schtasks.exe
5076	schtasks.exe
4824	schtasks.exe
4572	schtasks.exe
1968	schtasks.exe
4496	schtasks.exe
2088	schtasks.exe
4796	schtasks.exe
2864	schtasks.exe
1908	schtasks.exe
4704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1000	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	1000	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 1504	3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	86
PID 3152 wrote to memory of 1504	3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	86
PID 1504 wrote to memory of 3148	1504	csc.exe	88
PID 1504 wrote to memory of 3148	1504	csc.exe	88
PID 3152 wrote to memory of 4580	3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	104
PID 3152 wrote to memory of 4580	3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	104
PID 3152 wrote to memory of 2112	3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	105
PID 3152 wrote to memory of 2112	3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	105
PID 3152 wrote to memory of 1132	3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	106
PID 3152 wrote to memory of 1132	3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	106
PID 3152 wrote to memory of 4996	3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	107
PID 3152 wrote to memory of 4996	3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	107
PID 3152 wrote to memory of 1896	3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	108
PID 3152 wrote to memory of 1896	3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	108
PID 3152 wrote to memory of 2444	3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	109
PID 3152 wrote to memory of 2444	3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	109
PID 3152 wrote to memory of 1124	3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	115
PID 3152 wrote to memory of 1124	3152	18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe	115
PID 1124 wrote to memory of 956	1124	cmd.exe	118
PID 1124 wrote to memory of 956	1124	cmd.exe	118
PID 1124 wrote to memory of 224	1124	cmd.exe	119
PID 1124 wrote to memory of 224	1124	cmd.exe	119
PID 1124 wrote to memory of 1000	1124	cmd.exe	123
PID 1124 wrote to memory of 1000	1124	cmd.exe	123

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
"C:\Users\Admin\AppData\Local\Temp\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jw5xwjff\jw5xwjff.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC217.tmp" "c:\Windows\System32\CSCDBDBBA27BCDC495ABE9C98DF882C5D68.TMP"
    3⤵
    PID:3148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\Telephony\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\tmp\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tVgQRvzxRx.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:956
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe
    "C:\Users\Admin\AppData\Local\Temp\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Logs\Telephony\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Logs\Telephony\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\Telephony\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Application Data\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\Application Data\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Application Data\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\debug\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\debug\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\debug\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\assembly\tmp\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\assembly\tmp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\tmp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c9191" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c9191" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\Temp\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919.exe.log

Filesize
1KB

MD5
af6acd95d59de87c04642509c30e81c1

SHA1
f9549ae93fdb0a5861a79a08f60aa81c4b32377b

SHA256
7521ee2d065a78efcab55a194fbd78492f84b70595f139263875f4ea92b194d6

SHA512
93ab99bcf588fde553de3240e0d2b0cbd4e4bc5ef5e99d53f45a267d7ff30103a80b5a7aa1c52d6eff1e070af0ec82d2c0b8aafb7099742aa16810edc1815c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
6c14b13b09ca3250b8c108b05aa1afb0

SHA1
18e50e6f1f445add8dbfd7441dba50b4d36f42f0

SHA256
a147f4fb3ba4dee9197d7192ce22385e2c5da6987ab044bd2d2d2b7adac71c4a

SHA512
feca9dd078055a76d09290c2e6ff9dae608bdff807fe7e742ea4961a4877f2b5eb3d9d171941dfd0f19cebd1cebed7d35b3d6cbbecfe7ddfda5daf2bb4f85f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC217.tmp

Filesize
1KB

MD5
e961d77558a79c6258472db2dfda4244

SHA1
08a28bd62658d0ed2d9301c42442cee25aac1207

SHA256
a65e9b1833b3c3d2036fb6a2dde238b54db6179c3b89a9457f6d6bdc0c30d1dc

SHA512
a1f7096936afd9d1e7dc82e20b2807d38fa6cf45cf55691d1745d37f707b6632f0aee7dae133e5a9dec0fb5641a2d7b90efa3cf171d63b5396e4a0f5e4494af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fjdkwgve.24j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tVgQRvzxRx.bat

Filesize
278B

MD5
84b09dd4c25521e88e823c470fe4eb9a

SHA1
6423937648aea3c290b0d0c0871e89285b74a5e5

SHA256
d87572ac8fc637dbe0d741bae32399471ca94434e430c838a05f7e6af887fe20

SHA512
d5ebe3a592155cecb52fdd6c91d9711ee94c8b93289c7d2a47edd71a6dd668ef459fd1f1aebd1847ab388600a8f11c687eda51c4b797cefc9655a0ad3a8e1499

Download Submit
C:\Windows\Logs\Telephony\csrss.exe

Filesize
1.8MB

MD5
e00bc016a35cf87fb0db9dc0d6c3b8b8

SHA1
0281222335121e2e85a88a754c8451679084f8c0

SHA256
18a6abdb4cbcda4ac8cd3dcfeed13ff1506b6355912f6a7f479fdcd4a3f2c919

SHA512
a0a3281ce3dcacdd2a5c2848e514a1c54dca44eab3b06be68c1fd175a082742a06580af1158f79102c8229249911442aea7afc36ed6ca4e944d4594db2ae41f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jw5xwjff\jw5xwjff.0.cs

Filesize
367B

MD5
1c49aa26faba65d2b4a962bfabaa1737

SHA1
600a76ae208a0d28ef512ff4ca5ba5a33ee54d65

SHA256
00732f0d24828e267c12fb2812cbe78c9132b189d84ecb090ecada7d71840904

SHA512
7b987205e0c04f688730ecd8285d4072f67ffcf872764493d6bce075f8b28c801b145729f92b0e553022380fcea62ecabb57b777b3336c33a1aa753011af36d4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\jw5xwjff\jw5xwjff.cmdline

Filesize
235B

MD5
600c0115c2ce42983c811f931175e70c

SHA1
c906d35fcc29a7e335cf4b7b36ad7aade158c9c5

SHA256
8e1a04bfd2dc70cb2f3e39ee7a8cd4d6086856ba4c123c009a71e79e21110a96

SHA512
79e3279e4794c47a0b1b4a1a5dbed9d70b3869e5ce0ec792b520439330d0db164df192b968ad8609653bc72928fd08a7dbaf4739d8d9d5a0807821db9e57aa42

Download Submit
\??\c:\Windows\System32\CSCDBDBBA27BCDC495ABE9C98DF882C5D68.TMP

Filesize
1KB

MD5
2fd2b90e7053b01e6af25701a467eb1f

SHA1
68801a13cebba82c24f67a9d7c886fcefcf01a51

SHA256
12b900db56a20f01f0f1d65f46933971415d5b5675e59e8b02b3dae12aaa1527

SHA512
081d3a621e3664709867f3fdd82808364978f896fb007c0c8e6c8dfe25f2f2b8d37c9e0b2e4fb51c90bc6f691507b569e5d841ef3ca3bd38bd6adda2d30f32af

Download Submit
memory/1000-124-0x000000001BB00000-0x000000001BBA9000-memory.dmp

Filesize
676KB

Download
memory/2112-59-0x000001E6713E0000-0x000001E671402000-memory.dmp

Filesize
136KB

Download
memory/3152-10-0x0000000002D80000-0x0000000002D9C000-memory.dmp

Filesize
112KB

Download
memory/3152-11-0x000000001B930000-0x000000001B980000-memory.dmp

Filesize
320KB

Download
memory/3152-30-0x00007FFA105F0000-0x00007FFA110B1000-memory.dmp

Filesize
10.8MB

Download
memory/3152-28-0x00007FFA105F0000-0x00007FFA110B1000-memory.dmp

Filesize
10.8MB

Download
memory/3152-17-0x00007FFA105F0000-0x00007FFA110B1000-memory.dmp

Filesize
10.8MB

Download
memory/3152-15-0x0000000002D50000-0x0000000002D5C000-memory.dmp

Filesize
48KB

Download
memory/3152-13-0x000000001B8E0000-0x000000001B8F8000-memory.dmp

Filesize
96KB

Download
memory/3152-48-0x000000001BF00000-0x000000001BFA9000-memory.dmp

Filesize
676KB

Download
memory/3152-49-0x00007FFA105F0000-0x00007FFA110B1000-memory.dmp

Filesize
10.8MB

Download
memory/3152-29-0x00007FFA105F0000-0x00007FFA110B1000-memory.dmp

Filesize
10.8MB

Download
memory/3152-0-0x00007FFA105F3000-0x00007FFA105F5000-memory.dmp

Filesize
8KB

Download
memory/3152-8-0x00007FFA105F0000-0x00007FFA110B1000-memory.dmp

Filesize
10.8MB

Download
memory/3152-5-0x00007FFA105F0000-0x00007FFA110B1000-memory.dmp

Filesize
10.8MB

Download
memory/3152-7-0x0000000002D40000-0x0000000002D4E000-memory.dmp

Filesize
56KB

Download
memory/3152-4-0x00007FFA105F0000-0x00007FFA110B1000-memory.dmp

Filesize
10.8MB

Download
memory/3152-3-0x00007FFA105F0000-0x00007FFA110B1000-memory.dmp

Filesize
10.8MB

Download
memory/3152-2-0x00007FFA105F0000-0x00007FFA110B1000-memory.dmp

Filesize
10.8MB

Download
memory/3152-1-0x0000000000AA0000-0x0000000000C7A000-memory.dmp

Filesize
1.9MB

Download